Manual Chapter: Session Variables

The rules in an access policy store the values that the actions return in session variables. A session variable contains a number or string that represents a specific piece of information.
You can use the session variable strings in the visual policy editor to customize a rule for a specific action in an access policy. For more information on configuring access policy rules with session variables, see Assigning variables, and Using advanced access policy rules.
When you use session variables, you typically write them in custom rules, in the Tcl language, or you use them in the variable assign action.
Table C.1, Session variables for BIG-IP Access Policy Manager, contains the session variables returned by access policy actions.
Table C.2, Special purpose user session variables, contains special purpose session variables that provide functions in a user session, but are not returned by specific access policy actions.
Table C.3, Network access resource configuration variables and attributes, contains all the session variables generated by a network access resource, and the formats of those variables, for use with the variable assign action.
Note: When using session variables in an access policy configuration, for example, in a logging agent, a session variable may or may not exist depending on the result of the access policy process.
You write rules in Tcl. Although this appendix is not an exhaustive reference for writing and using Tcl expressions, it includes some common operators and syntax rules. Tcl expressions begin with the syntax expr. For more information, see http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.
Note: You use iRules on the BIG-IP system to provide functionality to the BIG-IP system components. Tcl commands specific to iRules are not available in access policy rules.
You can use Tcl standard operators with most BIG-IP® Access Policy Manager rules. You can find a full list of these operators in the Tcl online manual, at http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.
- + ~ !
Unary minus, unary plus, bit-wise NOT, logical NOT. None of these operators may be applied to string operands, and bit-wise NOT may be applied only to integers.
**
Exponentiation. Valid for any numeric operands.
* / %
Multiply, divide, remainder. None of these operators may be applied to string operands, and remainder may be applied only to integers. The remainder will always have the same sign as the divisor and an absolute value smaller than the divisor.
+ -
Add and subtract. Valid for any numeric operands.
<< >>
Left and right shift. Valid for integer operands only. A right shift always propagates the sign bit.
< > <= >=
Boolean less than, greater than, less than or equal to, and greater than or equal to. Each operator produces 1 if the condition is true, 0 otherwise. These operators may be applied to strings as well as numeric operands, in which case string comparison is used.
== !=
Boolean equal to and not equal to. Each operator produces a zero/one result. Valid for all operand types.
eq ne
Boolean string equal to and string not equal to. Each operator produces a zero/one result. The operand types are interpreted only as strings.
in ni
List containment and negated list containment. Each operator produces a zero/one result and treats its first argument as a string and its second argument as a Tcl list. The in operator indicates whether the first argument is a member of the second argument list; the ni operator inverts the sense of the result.
&
Bit-wise AND. Valid for integer operands only.
^
Bit-wise exclusive OR. Valid for integer operands only.
|
Bit-wise OR. Valid for integer operands only.
&&
Logical AND. Produces a 1 result if both operands are non-zero, 0 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
||
Logical OR. Produces a 0 result if both operands are zero, 1 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
x?y:z
If-then-else, as in C. If x evaluates to non-zero, then the result is the value of y. Otherwise the result is the value of z. The x operand must have a boolean or numeric value.
A rule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed below.
contains - Tests if one string contains another string.
ends_with - Tests if one string ends with another string.
equals - Tests if one string equals another string.
matches - Tests if one string matches another string.
matches_regex - Tests if one string matches a regular expression.
starts_with - Tests if one string starts with another string.
switch - Evaluates one of several scripts, depending on a given value.
and - Performs a logical "and" comparison between two values.
not - Performs a logical "not" action on a value.
or - Performs a logical "or" comparison between two values.
This table includes session variables and related reference information for each session variable that you can use with Access Policy Manager.
0 - Failed
1 - Passed
Result of the Active Directory authentication attempt.
0 - Failed
1 - Passed
User attributes retrieved during Active Directory query. Each attribute is converted to a separate session variable.
User group attributes retrieved during Active Directory query. Each group attribute is converted to a separate session variable.
Result of the LDAP authentication attempt.
User attributes retrieved during AD query. Each attribute is converted to a separate session variable.
0 - Failed
1 - Passed
Result of the RADIUS authentication attempt.
User attributes retrieved during RADIUS authentication. Each attribute is converted to a separate session variable.
"access_denied"
The result of the access policy. The result is the ending; for this ending, the result is access_denied.
The result of the access policy. The result is the ending; for this ending, the result is redirect.
The URL specified in the redirect, for example, "http://www.siterequest.com"
The result of the access policy. The result is the ending; for this ending, the result is webtop.
session.policy.result.webtop.network_access.autolaunch
The resource that is automatically started for a network access webtop
"network_access"
The type of webtop resource. The webtop type can be network_access or web_application.
1 - Indicates at least one Antivirus matches the criteria
non-0 integer - Date of last database update (seconds since 1/1/1970)
0 - User chooses option 2 on the decision page, which corresponds to the fallback rule branch in the action
Set when files on the client meet the configured attributes.
1 - At least one firewall matches the criteria
0 - Failure
1 - Success
-1 - Invalid check expression
0 - Failure
1 - Success
-1 - Invalid check expression
"SP2KB12345KB54321"
A list of installed SP and KB fixes for Internet Explorer
"SP2KB12345KB54321"
Resource allocation
"groupname1 groupname2"
A space-delimited list of assigned resource groups. This list is generated based on the list of assigned resource groups.
Client certificate authentication
0 - certificate does not exist
1 - certificate exists
Session management
0 - full
1 - miniHTML
2 - iMode
3 - XML
4 - WML
5 - WAP
6 - PocketPC
"ie"
"firefox"
"standalone"
"Win"
"Win98"
"WinME"
"Win2k"
"WinXP"
"WinVI"
"Linux"
"MacOS"
"PocketPC"
"WinCE"
The client platform as determined by HTTP headers.
A space-delimited list of assigned ACLs. This variable is created to store the list of ACLs. To modify the list of ACLs with the variable assign action or an advanced access policy rule, modify the previous session variable, session.assigned.acls.
xxx.xxx.xxx.xxx
For example, 192.168.12.10
The informational variable that stores the client IP address assigned by Access Policy Manager.
xxx.xxx.xxx.xxx
For example, 192.168.12.10
To change the client IP address, modify this variable. Because session.assigned.clientip is informational only, this is the variable that allows you to modify the client IP address.
admin_terminated
logged_out
timed_out
An informational variable that stores the reason the session was terminated.
A space-delimited list of assigned resource names. This list is generated based on the list of assigned resource groups.
The informational Universally Unique Identifier for a session. A UUID is a 128-bit number, displayed as 32 hexadecimal digits in 5 groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters. For example, 62ea1423-7a4c-ed22-2101-45eda3a6bb01
As described in previous entry.
The Universally Unique Identifier for a session. To change the UUID stored in the informational variable session.assigned.uuid, use this variable.
You can use the session user name variable with the variable assign action to replace the user name value that is passed to an authentication action in the access policy. An authentication action then authenticates with this user name value. For an example, see Example: Using a certificate field for logon name.
The session password variable contains the user password that is collected in the logon page action. This variable stores the password, then sends it to the authentication server. You should not configure the variable assign action to replace this variable.
This table includes the variables you can access in a network access resource, and the formats and values of the variable attributes.
Use this table with the variable assign action, to correctly format the replacement attribute for an existing network access resource configuration variable.
When the session variable requires that you write replacement XML in a specific format, the XML is presented in this table as <tag>tagdata</tag>. In this example, you type both the opening <tag> and the closing </tag> elements as provided, then type the actual XML data between the opening and closing elements. For example, the following is an entry in the table.
<dns>
<dns_primary>IP Address</dns_primary>
<dns_secondary>IP Address</dns_secondary>
</dns>
<dns>
<dns_primary>4.2.2.1</dns_primary>
<dns_secondary>4.2.2.2</dns_secondary>
</dns>
Important: The result of an evaluated expression or custom expression that you use to replace a network access property must provide a value in the format described in the Attribute value format column.
0 - None (no SNAT)
2 - SNAT pool (assigned with the variable snatpool_name)
3 - Automap
The attribute value is the name of an SNAT pool. The SNAT pool must be configured on the Access Policy Manager.
0 = disable compression
1 = enable compression
<address_space_include_dns_name>
<item><dnsname> dnsname1 </dnsname></item>
<item><dnsname> dnsname2 </dnsname></item>
</address_space_include_dns_name>
The attribute value is a space-separated list of subnets. For example:
192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0
The attribute value is a space-separated list of subnets. For example:
192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0
Note: If split_tunneling is set to 0 then you must set the following variables:
address_space_exclude_subnet = ""
address_space_include_subnet = "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0"
address_space_include_dns_name = "*"
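The following check is an added example, not part of the F5 manual: it parses a space-separated subnet/netmask list in the format shown above and reports which parts of the IPv4 address space the list leaves uncovered, so a replacement value can be validated before it is used in a variable assign action. The function names are hypothetical; the sample values are the ones given on this page.

```python
import ipaddress

def parse_subnet_list(value):
    """Parse 'net/mask net/mask ...' into IPv4Network objects.

    Raises ValueError if an entry has no mask, an invalid mask,
    or host bits set in the network address.
    """
    networks = []
    for entry in value.split():
        if "/" not in entry:
            raise ValueError(f"missing netmask: {entry!r}")
        networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks

def uncovered_ranges(include_value):
    """Return the IPv4 blocks that the include list does NOT cover."""
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for net in parse_subnet_list(include_value):
        still_open = []
        for block in remaining:
            if block.subnet_of(net):
                continue                      # block is fully covered
            if net.subnet_of(block):
                # carve the covered part out of this block
                still_open.extend(block.address_exclude(net))
            else:
                still_open.append(block)      # disjoint, untouched
        remaining = still_open
    return sorted(ipaddress.collapse_addresses(remaining))

def is_full_tunnel(include_value, exclude_value=""):
    """True when nothing is excluded and the include list spans all IPv4."""
    return not parse_subnet_list(exclude_value) and not uncovered_ranges(include_value)

if __name__ == "__main__":
    # Values taken from the note above (split_tunneling = 0).
    full = "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0"
    # Sample list from the subnet attribute description on this page.
    split = "192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0"
    print("full tunnel:", is_full_tunnel(full))
    print("split list is full tunnel:", is_full_tunnel(split))
    print("first uncovered blocks:", uncovered_ranges(split)[:3])
```
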
The number for the client interface speed value in the network access resource, in bytes.
<dns>
<dns_primary>IPAddress</dns_primary>
<dns_secondary>IPAddress</dns_secondary>
</dns>
<wins>
<wins_primary>IPAddress</wins_primary>
<wins_secondary>IPAddress</wins_secondary>
</wins>
The name of the ACL for the network access Resource. The ACL must exist on the Access Policy Manager.
Bool
String
IPAddress
Number
Bool
Vector(String)
<client_proxy_settings>
<client_proxy>1</client_proxy>
<client_proxy_script>proxy_script</client_proxy_script>
<client_proxy_address>proxyaddress</client_proxy_address>
<client_proxy_port>proxyport</client_proxy_port>
<client_proxy_local_bypass>1</client_proxy_local_bypass>
<client_proxy_exclusion_list>
<item>exclusion_list_item1</item>
<item>exclusion_list_item2</item>
</client_proxy_exclusion_list>
</client_proxy_settings>
Note that <client_proxy> must have the value 1 for the other settings to take effect; otherwise, all other settings in <client_proxy_settings> are ignored.
<drive_mapping>
<item>
<description>description</description>
<path>drive_path</path>
<drive>drive_letter</drive>
</item>
</drive_mapping>
<application_launch>
<item>
<path>path</path>
<parameter>string</parameter>
<os_type>WINDOWS</os_type>
</item>
</application_launch>
For the <os_type> value, type WINDOWS. This field is case sensitive.
<static_host>
<item>
<hostname>hostname</hostname>
<address>IPAddress</address>
</item>
</static_host>